The present invention relates to a technology to deliver content, and more specifically to a content transmission control device that executes routing control to limit the delivery range of content, a device to deliver content and a device to receive content.
Services that deliver content such as motion pictures and music over communication means such as the Internet and satellite broadcasting have been proposed. Data handled in such services is digitized, which allows easy duplication. It is therefore important to protect the copyrights of the content. As one means of protection, a method of enciphering content before delivery has been proposed. With this method, the content is enciphered and a decryption key for the enciphered content is generated at the same time. Since the enciphered content cannot be reproduced without the decryption key, fraudulent use of the content can be prevented by managing a license consisting of the decryption key paired with its use conditions, thereby protecting the rights of the copyright owners of the content.
In addition, content delivered on the Internet passes through a plurality of networks. These networks are connected to each other by devices called “routers,” which control data transmission. Content issued from a device is thus delivered to a receiving terminal through a plurality of routers and networks. On the other hand, this also makes it possible for a user to record digital broadcast content, etc. and deliver it to an unspecified number of persons. Under such circumstances, content holders and others are requesting that the use of content be limited to users who have duly purchased it.
For example, to prevent delivery of content to an unspecified number of persons, limiting the number of times that content may pass through a router has been proposed (see Non-patent Document 1). Hereinafter, operations of the proposed system will be described with reference to FIG. 2. Consider a case where content is delivered from a delivery source terminal 10 connected to a delivery source network 1 to a delivery destination terminal 30 connected to a delivery destination network 2. First, a device authentication controller 13 of the delivery source terminal 10 checks whether the delivery destination terminal 30 is a legitimate device, exchanges with it the information used to generate a content encryption key, and shares an encryption key with the delivery destination terminal 30. In addition, the delivery destination terminal 30 checks, as required, whether the delivery source terminal 10 is a legitimate device. When the delivery destination terminal 30 has been verified as a legitimate device, delivery of the content is actually initiated. If the delivery destination terminal 30 is judged not to be a legitimate device, the content is not delivered.
To deliver content, a content encryption unit 14 executes the following steps: generating a content encryption key from the shared information for generating that key; encrypting the content to be delivered with the encryption key; creating a packet whose header carries the delivery destination address and port on the network, the delivery source address and port, the maximum number of times that the content may pass through a router (hereinafter referred to as TTL: Time to Live), etc.; and delivering the encrypted content to the delivery source network 1 via a delivery controller 11. A router 20 refers to the delivery destination address of the packet, detects that the address is managed by the delivery destination network 2, and delivers the packet to the delivery destination network 2. The delivery destination terminal 30, upon confirming that the packet is addressed to it, receives the packet, generates the content encryption key from the shared key-generation information, decrypts the encrypted content with that key, and uses the content.
Hereinafter, operations of the router 20 will be described in detail. When the router 20 receives the packet sent by the delivery source terminal 10, a routing controller 21 refers to a routing table 22 and judges whether transmission is permitted or prohibited for a packet having the delivery destination address and port and the delivery source address and port stored in the packet header. If transmission is permitted, the routing controller 21 subtracts “1” from the value stored in the TTL field of the header and updates the TTL, thereby recording that the packet has passed through a router. Here, if subtracting “1” from the TTL value results in “0”, the routing controller 21 does not allow the packet to pass through the router, even though transmission of the packet is permitted, and notifies the delivery source terminal 10 of this status. When subtracting “1” from the TTL value results in a value exceeding “0”, the routing controller 21 transmits the packet to the delivery destination network 2. In addition, when transmission of the packet is prohibited in the routing table 22, the packet is not transmitted to the delivery destination network 2.
As stated above, limiting the value that the packet creation unit 12 of the delivery source terminal 10 configures for TTL makes it possible to limit and determine the networks through which content is delivered, and thus to prevent delivery of content to an unspecified number of persons. In addition, in Non-patent Document 1, the TTL value should be set to “3” or below. More specifically, the number of routers through which content can pass is limited to at most 2.
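The router behaviour and the TTL ceiling described above can be traced in a short simulation. This is an added example, not code from Non-patent Document 1 or from any product; the class and function names, the addresses and the three-router path are constructed for illustration, and the routing table 22 is reduced to a set of permitted source/destination pairs.

```python
from dataclasses import dataclass

MAX_SOURCE_TTL = 3  # ceiling the text attributes to Non-patent Document 1
# Constructed sample flow (documentation address ranges, arbitrary port).
SRC = ("192.0.2.10", 5000)
DST = ("198.51.100.30", 5000)

@dataclass
class Packet:
    src: tuple  # (address, port) of the delivery source
    dst: tuple  # (address, port) of the delivery destination
    ttl: int    # remaining router passes, configured by the source

class Router:
    def __init__(self, name, permitted_flows):
        self.name = name
        self.permitted = set(permitted_flows)  # stand-in for the routing table

    def handle(self, pkt):
        """Return 'forward', 'prohibited' or 'ttl_expired' for one packet."""
        if (pkt.src, pkt.dst) not in self.permitted:
            return "prohibited"      # routing table check comes first
        pkt.ttl -= 1                 # record that a router was reached
        if pkt.ttl <= 0:
            return "ttl_expired"     # not passed on; source would be notified
        return "forward"

def make_packet(ttl):
    """Source-side packet creation that refuses TTL values above the ceiling."""
    if not 1 <= ttl <= MAX_SOURCE_TTL:
        raise ValueError("TTL must be between 1 and %d" % MAX_SOURCE_TTL)
    return Packet(SRC, DST, ttl)

def deliver(pkt, path):
    """Send pkt along path; return (routers passed, final status)."""
    passed = 0
    for router in path:
        status = router.handle(pkt)
        if status != "forward":
            return passed, status
        passed += 1
    return passed, "delivered"

PATH = [Router("R%d" % i, [(SRC, DST)]) for i in (1, 2, 3)]

if __name__ == "__main__":
    for hops in (1, 2, 3):
        print(hops, "router(s):", deliver(make_packet(3), PATH[:hops]))
```

The limit holds only if every sender honours the ceiling and no intermediate device rewrites the TTL field, which is why the following paragraph singles out TTL management as the important factor.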
With the content delivery system described above, the method by which TTL values are managed at the delivery source terminal 10 or the router 20 is an important factor.
[Non-Patent Document 1] DTCP Volume 1, Supplement E, “Mapping DTCP to IP” (Informational Version), DRAFT Revision 0.9, Sep. 12, 2003 (pp. 18, V1SE.6.2).